AWS Configurations/problems


Jack L

Apr 10, 2023, 5:41:37 PM
to Wazuh mailing list
The organization I work for is moving to be wholly on AWS, and we want to use Wazuh as our SIEM, as AWS's UI requires us to jump all over the place.

We have several AWS organizations, including one specifically for security monitoring/log aggregation. Within this org, we have set up our Wazuh server.


My issues are several, in that it seems that I am only ingesting the CloudTrail events.
On AWS's Inspector page it lists several things that are not reflected in Wazuh.
The GuardDuty events are also not showing up. I even used https://www.youtube.com/watch?v=7NdxbqC93tI to assist with the configuration; if I use the rule test, it shows that they match some rules.
The dashboard is not listing accounts or regions. I thought this was fixed in 4.4.

Any recommendations would be greatly appreciated

Here is my wodle configuration with some name replacements:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <!-- Inspector -->
  <service type="inspector">
    <aws_profile>default</aws_profile>
    <regions>us-east-1,us-east-2</regions>
  </service>

  <!-- Guard Duty -->
  <bucket type="guardduty">
    <name>company-firehose</name>
    <aws_profile>default</aws_profile>
  </bucket>

  <!-- Config -->
  <bucket type="config">
    <name>config-bucket-accountconfig</name>
    <path>AWSLogs</path>
    <aws_profile>default</aws_profile>
  </bucket>

  <!-- Cloud Trail -->
  <bucket type="cloudtrail">
    <name>company-cloudtrail</name>
    <aws_profile>default</aws_profile>
  </bucket>

  <!-- Cloud Watch Logs -->
  <service type="cloudwatchlogs">
    <aws_profile>default</aws_profile>
    <regions>us-east-1,us-east-2</regions>
    <aws_log_groups>/aws/guardduty/malware-scan-events</aws_log_groups>
  </service>
</wodle>

Jose Camargo

Apr 10, 2023, 8:34:34 PM
to Wazuh mailing list
Hi Jack,

To better troubleshoot this, it would be really useful if you could enable debugging and then check when the AWS command (to pull the data) is executed, to see what the error might be. For this, you have to modify the /var/ossec/etc/internal_options.conf file in your manager(s) with this option:

wazuh_modules.debug=2

And then restart the manager.

You will then have to search for AWS-related logs in your manager's /var/ossec/logs/ossec.log file with this command:

grep -i "aws" /var/ossec/logs/ossec.log

You will see results similar to this:

wodles/aws/aws-s3 --bucket xxx --access_key xxx --secret_key xxx --aws_account_id xxx --trail_prefix xxx --only_logs_after 2023-MAR-02 --regions us-east-1 --type cloudtrail --debug 2

Then just run the command again from your manager's /var/ossec/ directory and you will get the debug output for the command and any errors.

I'll be awaiting your comments.

Regards,
Jose Camargo
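A small script to go with the procedure above (an added example; it is not from the thread and not part of Wazuh): once wazuh_modules.debug=2 is set and the manager restarted, it pulls every aws-s3 command line the module logged out of ossec.log, redacts any inline --access_key/--secret_key values before the output is pasted into a ticket, and maps each command back to the bucket or service it came from so you can see which parts of the wodle config are actually being launched. The sample log lines are constructed to follow the "Launching S3 Command:" format shown later in this thread; the "Launching Service Command:" form for services is an assumption.

```python
"""Added example (not the thread's or Wazuh's code): extract, redact and
summarize the aws-s3 commands that wazuh-modulesd logs at debug level 2."""
import re

# Constructed sample of /var/ossec/logs/ossec.log at wazuh_modules.debug=2.
# The "Launching S3 Command:" wording is taken from the thread; the
# "Launching Service Command:" wording for services is assumed.
SAMPLE_LOG = """\
2023/04/10 17:40:01 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2023/04/10 17:40:01 wazuh-modulesd:aws-s3: DEBUG: Launching S3 Command: wodles/aws/aws-s3 --bucket company-cloudtrail --access_key AKIAEXAMPLEKEY --secret_key wJalrXUtnFEMIEXAMPLE --type cloudtrail --debug 2
2023/04/10 17:40:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/04/10 17:40:03 wazuh-modulesd:aws-s3: DEBUG: Launching Service Command: wodles/aws/aws-s3 --service inspector --aws_profile default --regions us-east-1,us-east-2 --debug 2
2023/04/10 17:40:04 wazuh-modulesd:aws-s3: DEBUG: Launching S3 Command: wodles/aws/aws-s3 --bucket company-firehose --aws_profile default --type guardduty --debug 2
"""

LAUNCH_RE = re.compile(r"aws-s3: DEBUG: Launching \w+ Command: (.+)$")
SECRET_RE = re.compile(r"--(access_key|secret_key)\s+\S+")


def extract_commands(log_text: str) -> list:
    """Return the command lines the aws-s3 module launched, in log order."""
    cmds = []
    for line in log_text.splitlines():
        m = LAUNCH_RE.search(line)
        if m:
            cmds.append(m.group(1).strip())
    return cmds


def redact(cmd: str) -> str:
    """Blank out inline static credentials so the command can be shared safely."""
    return SECRET_RE.sub(r"--\1 REDACTED", cmd)


def parse_args(cmd: str) -> dict:
    """Turn 'wodles/aws/aws-s3 --bucket x --type y' into {'bucket': 'x', 'type': 'y'}.
    Flags with no value (none in the samples) map to True."""
    parts = cmd.split()
    opts = {}
    i = 1  # parts[0] is the wodle path itself
    while i < len(parts):
        if parts[i].startswith("--"):
            key = parts[i][2:]
            if i + 1 < len(parts) and not parts[i + 1].startswith("--"):
                opts[key] = parts[i + 1]
                i += 2
            else:
                opts[key] = True
                i += 1
        else:
            i += 1
    return opts


def launched_sources(log_text: str) -> list:
    """One (kind, name) tuple per launched command: ('bucket', <type>:<name>)
    for S3 buckets, ('service', <service>) for services. Comparing this list
    with ossec.conf shows which configured entries never run at all."""
    out = []
    for cmd in extract_commands(log_text):
        opts = parse_args(cmd)
        if "bucket" in opts:
            out.append(("bucket", f"{opts.get('type', '?')}:{opts['bucket']}"))
        elif "service" in opts:
            out.append(("service", opts["service"]))
    return out


if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_LOG):
        print(redact(cmd))
    print(launched_sources(SAMPLE_LOG))
```

Each redacted line can be pasted as-is after `cd /var/ossec` to reproduce the run by hand, as the post describes; if a bucket or service from ossec.conf never appears in launched_sources, the module is not even attempting it, which is a different problem from a failing fetch.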

Allex

Apr 20, 2023, 2:43:39 PM
to Wazuh mailing list
Hi,

I'm having a similar issue. In my case, Wazuh seems not to be ingesting the AWS GuardDuty events.

I'm using Wazuh 4.4.1.

These are the ossec.log results:

Apr 20, 2023 @ 12:04:09.000 wazuh-modulesd:aws-s3 INFO  Starting fetching of logs.
Apr 20, 2023 @ 12:04:09.000 wazuh-modulesd:aws-s3 INFO  Executing Bucket Analysis: (Bucket: aws-guardduty-logs, Path: guardduty, Type: guardduty, Profile: default)
Apr 20, 2023 @ 12:04:09.000 wazuh-modulesd:aws-s3 DEBUG  Create argument list
Apr 20, 2023 @ 12:04:09.000 wazuh-modulesd:aws-s3 DEBUG  Launching S3 Command: wodles/aws/aws-s3 --bucket aws-guardduty-logs --aws_profile default --trail_prefix guardduty --type guardduty --debug 2
Apr 20, 2023 @ 12:04:09.000 wazuh-modulesd:aws-s3 DEBUG  +++ Debug mode on - Level: 2



Here is my wodle configuration (ossec.conf):

<!-- Monitoring AWS based services -->

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>no</skip_on_error>


  <!-- Guard Duty -->
  <bucket type="guardduty">
    <name>aws-guardduty-logs</name>
    <path>guardduty</path>
    <aws_profile>default</aws_profile>      
  </bucket>
</wodle>



Here is the aws-s3 wodle test from the Wazuh server CLI:

root@wazuhmanager:/var/ossec/wodles/aws# ./aws-s3 -b 'aws-guardduty-logs' -l 'guardduty' -t 'guardduty' -p 'default' --debug 2
DEBUG: +++ Debug mode on - Level: 2
DEBUG: Found configuration for connection retries in /root/.aws/config
DEBUG: +++ Marker: guardduty/2023/04/20
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/0f1a3397-3130-360d-beca-dd496be5b5e0.jsonl.gz
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/35fcecd5-47a8-351a-b2a8-c08ab00a43ea.jsonl.gz
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/49f40712-cf6a-336a-a6e2-0907293aaaf0.jsonl.gz
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/67ded793-b79c-3b2d-af13-b52524317469.jsonl.gz
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/8a94247e-8a1b-3514-9023-8f34cb0de719.jsonl.gz
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/9ff5d863-6dec-344e-8cb3-123b83b93c86.jsonl.gz
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/d758e615-367f-3980-a25f-8e895dc5406f.jsonl.gz
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/db5faed8-74cb-30a0-9c0f-d174a72f263e.jsonl.gz
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/e68d06dc-307d-36aa-ada9-787bf664944d.jsonl.gz
DEBUG: ++ Skipping file with another prefix: guardduty/AWSLogs/XXXXXXXXXXXX/GuardDuty/us-east-1/2023/04/19/f10509e3-6f71-3e9a-84e9-50e62f432759.jsonl.gz
DEBUG: +++ DB Maintenance



Any recommendations would be greatly appreciated.


Best regards,
Allex Vieira
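The debug output above is worth reading closely: the wodle prints a marker of the form guardduty/2023/04/20 (the configured path followed by the day) and then reports every object under guardduty/AWSLogs/<account>/GuardDuty/<region>/... as having "another prefix". The script below is an added example (not from the thread and not Wazuh's code) that reproduces that key check offline against a constructed bucket listing, so you can see for a given path and day which keys would fall under the marker and which would be skipped, and then decompresses a constructed GuardDuty-style .jsonl.gz object to confirm the findings are actually there. Assumptions not taken from the page: the marker layout is <path>/YYYY/MM/DD, the native GuardDuty export layout is <path>/AWSLogs/<account>/GuardDuty/<region>/YYYY/MM/DD/<uuid>.jsonl.gz, and the sample keys and findings are made up.

```python
"""Added example (not the thread's or Wazuh's code): classify S3 keys against
the per-day marker shown in the debug output and parse a GuardDuty JSONL export."""
import gzip
import io
import json
import re
from datetime import date

# Native GuardDuty S3 export layout, as seen in the skipped keys above (assumed form).
NATIVE_RE = re.compile(
    r"^(?P<path>[^/]+/)?AWSLogs/(?P<account>\d{12})/GuardDuty/(?P<region>[a-z]{2}-[a-z]+-\d)/"
    r"(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/[0-9a-f-]+\.jsonl\.gz$"
)

SAMPLE_DAY = date(2023, 4, 20)

# Constructed bucket listing: two native-export objects, one Firehose-style
# object under the day marker, and one unrelated file.
SAMPLE_KEYS = [
    "guardduty/AWSLogs/123456789012/GuardDuty/us-east-1/2023/04/19/0f1a3397-3130-360d-beca-dd496be5b5e0.jsonl.gz",
    "guardduty/AWSLogs/123456789012/GuardDuty/us-east-1/2023/04/20/35fcecd5-47a8-351a-b2a8-c08ab00a43ea.jsonl.gz",
    "guardduty/2023/04/20/10/company-firehose-1-2023-04-20-10-00-00-0a1b2c.gz",
    "guardduty/README.txt",
]

# Constructed findings with only the fields this example reads.
SAMPLE_FINDINGS = [
    {"id": "f1", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2},
    {"id": "f2", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "severity": 5},
]


def firehose_marker(path: str, day: date) -> str:
    """The per-day marker the wodle printed: <path>/YYYY/MM/DD."""
    return f"{path.rstrip('/')}/{day:%Y/%m/%d}"


def classify_key(key: str, path: str, day: date) -> str:
    """'firehose' if the key sits under the day marker, 'native' if it matches
    the native GuardDuty export layout, otherwise 'other'."""
    if key.startswith(firehose_marker(path, day) + "/"):
        return "firehose"
    if NATIVE_RE.match(key):
        return "native"
    return "other"


def summarize_keys(keys, path: str, day: date) -> dict:
    """Count keys per class; a listing with native > 0 and firehose == 0 is
    exactly the situation the debug output above shows."""
    counts = {"firehose": 0, "native": 0, "other": 0}
    for key in keys:
        counts[classify_key(key, path, day)] += 1
    return counts


def make_sample_object(findings) -> bytes:
    """Build a gzipped JSON-lines object the way an exported finding file is laid out."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt", encoding="utf-8") as fh:
        for finding in findings:
            fh.write(json.dumps(finding) + "\n")
    return buf.getvalue()


def parse_findings(gz_bytes: bytes) -> list:
    """Decode one .jsonl.gz object into (id, type, severity) tuples, one per line."""
    out = []
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                finding = json.loads(line)
                out.append((finding["id"], finding["type"], float(finding["severity"])))
    return out


if __name__ == "__main__":
    print("marker:", firehose_marker("guardduty", SAMPLE_DAY))
    print(summarize_keys(SAMPLE_KEYS, "guardduty", SAMPLE_DAY))
    for fid, ftype, severity in parse_findings(make_sample_object(SAMPLE_FINDINGS)):
        print(fid, ftype, severity)
```

To use it against a real bucket, replace SAMPLE_KEYS with the output of an `aws s3api list-objects-v2` call for the configured path and feed a downloaded object to parse_findings; if every key comes back "native" while the marker the wodle prints is the Firehose form, the mismatch is in the bucket layout versus what the configured bucket type expects, not in the rules.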